[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
$ b. v" G; ^& S' r) U& A. N
Keyboard Interrupt Hook using I/O APIC

By: chpie
# @' P5 {# Z* I: N. Q6 p  t- YKeyboard Interrupt Hooking by manipulating the I/O APIC
tested on the winXP, Pentium D Hyper-threading Enabled.


, k+ K6 j. y9 {& ^Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
0 m7 z/ E. R9 [' e& Uthe I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
4 ], @' h3 D% h/ \vector from the I/O APIC.
( y* I+ F" m9 F9 d3 Q
! b& y/ d9 Q7 @( a6 x$ j3 o4 \7 tFlow ::

1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
* b) ~* z2 c$ x! G/ x5. A processor receives the signal.
/ j3 U/ p; j+ Y/ W& [" V& m% Y" w+ d6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
9 J' O# Z! b7 t2 x$ |8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
7 G% D8 g& _8 i# U' a: b" Ifor ExtINT to its Delivery mode.
10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
. @& G# k+ X  k: |+ }$ E  L11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

7 h3 [- A8 b- q% q3 V# f  U
" b4 u+ D5 ^9 V( \sourcecode and binary are available on the
4 E( B+ A4 ~* z" C1 b+ fhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip